Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.

Upgrade to Pro
THREAT-ESXi-HypervisorRansomware Microsoft Sentinel · KQL

Detect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in Microsoft Sentinel

Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.

MITRE ATT&CK

Tactic
Impact

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// THREAT-ESXi-HypervisorRansomware (T1489 Service Stop -> T1486 Data Encrypted for Impact)
// Requires ESXi/vCenter syslog forwarded to the Syslog table (Azure Monitor Agent Linux syslog collection)
let ESXiHosts = dynamic(["<YOUR_ESXI_HOST_FQDNS_OR_IPS>"]); // populate from vCenter inventory; leave empty to match on ProcessName instead
let Lookback = 1h;
// Signal 1: SSH enabled/used on ESXi shortly before mass VM kill activity
let SSHActivity = Syslog
| where TimeGenerated > ago(Lookback)
| where ProcessName has_any ("sshd", "hostd")
| where SyslogMessage has_any ("Accepted password", "Accepted publickey", "TSM-SSH", "SSH login enabled")
| project TimeGenerated, Computer, SyslogMessage, Indicator = "SSHEnabledOrUsed";
// Signal 2: burst of forced VM kills / power-off commands on a single host
let VMKillBurst = Syslog
| where TimeGenerated > ago(Lookback)
| where (isempty(ESXiHosts) or Computer in (ESXiHosts))
| where SyslogMessage has_any ("esxcli vm process kill", "vim-cmd vmsvc/power.off", "vim-cmd vmsvc/power.shutdown")
| extend WorldOrVmId = extract(@"(world-id|--world-id)[= ]([0-9]+)", 2, SyslogMessage)
| summarize KillCount = count(), DistinctTargets = dcount(WorldOrVmId), SampleCommands = make_set(SyslogMessage, 10) by Computer, bin(TimeGenerated, 10m)
| where KillCount >= 5 or DistinctTargets >= 5
| project TimeGenerated, Computer, SyslogMessage = strcat_array(SampleCommands, " | "), Indicator = "MassVMKill";
// Signal 3: bulk datastore file rename/delete of VM disk files in the same window (encryption/corruption in progress)
let DatastoreBulkOps = Syslog
| where TimeGenerated > ago(Lookback)
| where ProcessName has "hostd"
| where SyslogMessage has_any (".vmdk", ".vmx", ".vmsd", ".vswp")
| where SyslogMessage has_any ("Rename", "rm -f", "unlink", "delete")
| summarize FileOpCount = count(), SampleFiles = make_set(SyslogMessage, 10) by Computer, bin(TimeGenerated, 10m)
| where FileOpCount >= 20
| project TimeGenerated, Computer, SyslogMessage = strcat_array(SampleFiles, " | "), Indicator = "BulkDatastoreFileOps";
union SSHActivity, VMKillBurst, DatastoreBulkOps
| sort by TimeGenerated desc
critical severity high confidence

Three-signal detection over ESXi/vCenter logs forwarded to the Syslog table. Signal 1 flags SSH being enabled or used on the ESXi shell (SSH is disabled by default, so any use is notable). Signal 2 flags a burst of forced VM process kills or power-off commands against five or more distinct VMs within a 10-minute window on a single host — normal maintenance restarts one VM at a time, ransomware kills all of them almost simultaneously to clear file locks before encryption. Signal 3 flags bulk rename/delete operations against VM disk files (.vmdk/.vmx/.vmsd/.vswp), which is what the encryption or corruption routine looks like at the datastore-file level. Any one signal alone can be benign; two or more from the same host within the lookback window is a high-confidence hypervisor ransomware indicator.

Data Sources

VMware ESXi Shell.log, hostd.log, vobd.log, auth.log forwarded via syslogAzure Monitor Agent Linux syslog collectionvCenter Server task/event logs (if vCenter itself remains available)

Required Tables

Syslog

False Positives & Tuning

  • Planned maintenance windows (ESXi patching, host reboot, DRS maintenance mode) where an administrator or vCenter orchestrates an intentional mass VM shutdown across a host
  • Disaster recovery failover tests that power off VMs on a source host as part of a rehearsed cutover
  • Backup software (Veeam, Commvault) that briefly quiesces or snapshots VMs, which can appear in hostd.log as file operations against VMDK/VMSD files
  • vMotion or Storage vMotion operations that create transient rename/copy activity against datastore files during live migration
  • Legitimate SSH access by infrastructure teams for authorized troubleshooting, especially where SSH is intentionally left enabled in lab/dev clusters

Other platforms for THREAT-ESXi-HypervisorRansomware


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)

    Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.

  2. Test 2Simulated SSH Enablement on ESXi (Lab Only)

    Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.

  3. Test 3Simulated Bulk Datastore File Rename (Lab Only)

    Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub